Fixes for GeoIP
- Correct check for valid ACTION - Add to Shorewall6/actions.std - Only use geoip once per invocation Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
63ae00e4a4
commit
17e25932f0
@ -38,7 +38,8 @@ DEFAULTS -,-,src,-
|
|||||||
|
|
||||||
BEGIN PERL;
|
BEGIN PERL;
|
||||||
|
|
||||||
use Shorewall::Chains;
|
use strict;
|
||||||
|
use Shorewall::Chains qw(:DEFAULT :internal);
|
||||||
|
|
||||||
my ( $countries, $action, $srcdst, $audit ) = get_action_params( 4 );
|
my ( $countries, $action, $srcdst, $audit ) = get_action_params( 4 );
|
||||||
|
|
||||||
@ -300,21 +301,32 @@ my $chainref = get_action_chain;
|
|||||||
my ( $level, $tag ) = get_action_logging;
|
my ( $level, $tag ) = get_action_logging;
|
||||||
my $target = require_audit ( $action , $audit );
|
my $target = require_audit ( $action , $audit );
|
||||||
|
|
||||||
fatal_error "Either an action or a log level must be specified" unless $target || $level ne '';
|
|
||||||
|
|
||||||
$countries =~ s/\|/,/g;
|
$countries =~ s/\|/,/g;
|
||||||
|
my @countries = split_list $countries, 'cc';
|
||||||
|
|
||||||
for ( split_list $countries, 'cc' ) {
|
for ( @countries ) {
|
||||||
fatal_error "Unknown ISO 3661 Country Code ($_)" unless $isocodes{$_};
|
fatal_error "Unknown ISO 3661 Country Code ($_)" unless $isocodes{$_};
|
||||||
}
|
}
|
||||||
|
|
||||||
log_rule_limit $level, $chainref, 'GeoIP' , $target ? $target : 'LOG' , '', $tag, 'add', "-m geoip --${srcdst}-cc $countries" if $level ne '';
|
$tag = $countries[0] unless $tag || @countries > 1;
|
||||||
|
|
||||||
if ( $target ne '' ) {
|
if ( $target ne '' ) {
|
||||||
my $targettype = $targets{$target} || 0;
|
my $targettype = $targets{$target} || 0;
|
||||||
fatal_error "Unknown ACTION ($target)" unless $targettype;
|
fatal_error "Unknown ACTION ($target)" unless $targettype;
|
||||||
fatal_error "The $target action may not be passed to GeoIP" unless $targettype | (STANDARD | CHAIN );
|
fatal_error "The $target action may not be passed to GeoIP" if ( ! $targettype & (STANDARD | CHAIN | ACTION ) ) || ( $targettype & ( NATRULE | NONAT ) );
|
||||||
|
|
||||||
|
if ( $level ne '' ) {
|
||||||
|
my $chain1ref = ensure_filter_chain( newlogchain('filter' ), 0 );
|
||||||
|
log_rule_limit $level, $chain1ref, $chainref->{name}, $target ? $target : 'LOG' , '', $tag, 'add', '';
|
||||||
|
add_ijump( $chain1ref, j => $target );
|
||||||
|
$target = $chain1ref->{name};
|
||||||
|
}
|
||||||
|
|
||||||
add_ijump $chainref , j => $target, geoip => "--${srcdst}-cc $countries";
|
add_ijump $chainref , j => $target, geoip => "--${srcdst}-cc $countries";
|
||||||
|
} elsif ( $level ne '' ) {
|
||||||
|
log_rule_limit $level, $chainref, 'GeoIP' , $target ? $target : 'LOG' , '', $tag, 'add', "-m geoip --${srcdst}-cc $countries";
|
||||||
|
} else {
|
||||||
|
fatal_error "Either an action or a log level must be specified";
|
||||||
}
|
}
|
||||||
|
|
||||||
allow_optimize( $chainref );
|
allow_optimize( $chainref );
|
||||||
|
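Review bot: In the rewritten "may not be passed to GeoIP" check, `! $targettype & (STANDARD | CHAIN | ACTION )` parses as `(!$targettype) & (...)` because unary `!` binds tighter than `&`, and since the preceding `fatal_error "Unknown ACTION ($target)"` already guarantees `$targettype` is non-zero, that first disjunct is always 0 — only the NATRULE/NONAT half of the condition can fire, so a target type carrying none of STANDARD, CHAIN or ACTION would apparently still be accepted unless it also carries NATRULE or NONAT. The intended test is `fatal_error "The $target action may not be passed to GeoIP" if !( $targettype & ( STANDARD | CHAIN | ACTION ) ) || ( $targettype & ( NATRULE | NONAT ) );`. As a point of style, the `$target ? $target : 'LOG'` ternary in both new `log_rule_limit` calls is now decidable at each site (`$target` is non-empty inside the `if ( $target ne '' )` branch and empty in the `elsif`), so writing `$target` and `'LOG'` directly would read more clearly; and the unchanged context line still spells the standard as "ISO 3661" in the error message while the actions.std entry added by this commit says "ISO 3166". The enclosing BEGIN PERL block starts before this hunk (`my $chainref = get_action_chain;` is only visible in the hunk header), so `%targets`, `%isocodes` and the flag constants are presumably supplied by the `Shorewall::Chains qw(:DEFAULT :internal)` import added in the first hunk.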
@ -26,6 +26,7 @@ AllowICMPs # Accept needed ICMP6 types
|
|||||||
Broadcast # Handles Broadcast/Multicast/Anycast
|
Broadcast # Handles Broadcast/Multicast/Anycast
|
||||||
Drop # Default Action for DROP policy
|
Drop # Default Action for DROP policy
|
||||||
DropSmurfs # Handles packets with a broadcast source address
|
DropSmurfs # Handles packets with a broadcast source address
|
||||||
|
GeoIP # Match packets by ISO 3166 Country Code
|
||||||
Invalid # Handles packets in the INVALID conntrack state
|
Invalid # Handles packets in the INVALID conntrack state
|
||||||
NotSyn # Handles TCP packets that do not have SYN=1 and ACK=0
|
NotSyn # Handles TCP packets that do not have SYN=1 and ACK=0
|
||||||
Reject # Default Action for REJECT policy
|
Reject # Default Action for REJECT policy
|
||||||
|